False Positive/Negative: #844

Open
Gitabhsuosowo opened this issue Sep 30, 2024 · 20 comments
@Gitabhsuosowo

Output of suspected false positive / negative

Post any useful information like the ID of the test causing the false positive.

Debug output

Run:

./nikto.pl -host targethost -Save false_positive

This saves all positive responses to a new false_positive directory. Afterwards look
for the related ID of the false positive / negative and paste it below.

@sullo
Owner

sullo commented Oct 2, 2024

Do you have an issue to report? No info here.

@top-kat

top-kat commented Nov 1, 2024

Thx @sullo for being reactive!

Here is one of my scan

➜  program git:(master) ./nikto.pl -h http://localhost:9086/
- Nikto v2.5.0
---------------------------------------------------------------------------
+ ERROR: Unable to open database file db_headers_suggested: .
+ Target IP:          127.0.0.1
+ Target Hostname:    localhost
+ Target Port:        9086
+ Start Time:         2024-11-01 14:29:13 (GMT1)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ No CGI Directories found (use '-C all' to force check all possible dirs)
called once
+ /servlet/org.apache.catalina.Globals/<script>alert('Vulnerable')</script>: Apache-Tomcat is vulnerable to Cross Site Scripting (XSS) by invoking java classes.
+ /ss000007.pl?PRODREF=<script>alert('Vulnerable')</script>: Actinic E-Commerce services is vulnerable to Cross Site Scripting (XSS). See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1732
+ /modules.php?op=modload&name=Members_List&file=index&letter=<script>alert('Vulnerable')</script>: This install of PHP-Nuke's modules.php is vulnerable to Cross Site Scripting (XSS).
+ /html/partner.php?mainfile=anything&Default_Theme='<script>alert(document.cookie);</script>: myphpnuke version 1.8.8_final_7 is vulnerable to Cross Site Scripting (XSS).
+ /article.cfm?id=1'<script>alert(document.cookie);</script>: With malformed URLs, ColdFusion is vulnerable to Cross Site Scripting (XSS).
+ /diapo.php?rep=<script>alert(document.cookie)</script>: GPhotos index.php rep Variable XSS. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2397
+ /admin/cfg/configscreen.inc.php+: This might be interesting: has been seen in web logs from an unknown scanner.
+ /admin/cfg/configsite.inc.php+: This might be interesting: has been seen in web logs from an unknown scanner.
+ /admin/cfg/configsql.inc.php+: This might be interesting: has been seen in web logs from an unknown scanner.
+ /admin/modules/cache.php+: This might be interesting: has been seen in web logs from an unknown scanner.
+ /admin/settings.inc.php+: This might be interesting: has been seen in web logs from an unknown scanner.
+ /functions.inc.php+: This might be interesting: has been seen in web logs from an unknown scanner.
+ /modules/Downloads/voteinclude.php+: This might be interesting: has been seen in web logs from an unknown scanner.
+ /modules/WebChat/in.php+: This might be interesting: has been seen in web logs from an unknown scanner.
+ /modules/Your_Account/navbar.php+: This might be interesting: has been seen in web logs from an unknown scanner.
+ /options.inc.php+: This might be interesting: has been seen in web logs from an unknown scanner.
+ /shop/php_files/site.config.php+: This might be interesting: has been seen in web logs from an unknown scanner.
+ /uifc/MultFileUploadHandler.php+: This might be interesting: has been seen in web logs from an unknown scanner.
+ /index.html.ru.iso-ru: Apache default foreign language file found. All default files should be removed from the web server as they may give an attacker additional system information. See: CWE-552
+ /aktivate/cgi-bin/catgy.cgi?key=0&cartname=axa200135022551089&desc=<script>alert('Vulnerable')</script>: Aktivate Shopping Cart 1.03 and lower are vulnerable to Cross Site Scripting (XSS). See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1212
+ /sysuser/docmgr/info.stm?path=<script>alert(document.cookie)</script>: Sambar Server default script is vulnerable to Cross Site Scripting (XSS). See: https://seclists.org/fulldisclosure/2003/Mar/265
+ /pls/portal/PORTAL.wwv_ui_lovf.show: Access to Oracle pages could have an unknown impact.
+ /pls/portal/PORTAL.wwv_dynxml_generator.show: Access to Oracle pages could have an unknown impact.
+ /login.cgi?cli=aa%20aa%27cat%20/etc/hosts: Some D-Link router remote command execution.
+ 7856 requests: 0 error(s) and 24 item(s) reported on remote host
+ End Time:           2024-11-01 14:29:32 (GMT1) (19 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

All that are false positive since in all cases my server returns a 404 response without a body or a content.

Maybe I did something wrong (it's my 1st time using the tool so sorry if it's a dumb question).

@sullo
Owner

sullo commented Nov 1, 2024 via email

@top-kat

top-kat commented Nov 1, 2024

Here is a postman screenshot

image

This is a straight 404 with no content

@sullo
Owner

sullo commented Nov 1, 2024

We need the raw response not interpreted by postman or anything. try using curl.
curl <url>

@top-kat

top-kat commented Nov 1, 2024

Thx for helping there, here is the result of the curl -v command:

curl http://localhost:9086/servlet/org.apache.catalina.Globals/%3Cscript%3Ealert\('Vulnerable'\)%3C/script%3E -v
* Host localhost:9086 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:9086...
* Connected to localhost (::1) port 9086
> GET /servlet/org.apache.catalina.Globals/%3Cscript%3Ealert(Vulnerable)%3C/script%3E HTTP/1.1
> Host: localhost:9086
> User-Agent: curl/8.7.1
> Accept: */*
> 
* Request completely sent off
< HTTP/1.1 404 Not Found
< Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
< Cross-Origin-Opener-Policy: same-origin
< Cross-Origin-Resource-Policy: same-origin
< Referrer-Policy: no-referrer
< Strict-Transport-Security: max-age=15552000; includeSubDomains
< X-Content-Type-Options: nosniff
< X-DNS-Prefetch-Control: off
< X-Download-Options: noopen
< X-Frame-Options: SAMEORIGIN
< X-Permitted-Cross-Domain-Policies: none
< X-XSS-Protection: 0
< Vary: Origin
< Access-Control-Allow-Credentials: true
< Date: Fri, 01 Nov 2024 13:50:58 GMT
< Connection: keep-alive
< Keep-Alive: timeout=5
< Content-Length: 0
< 
* Connection #0 to host localhost left intact

If I don't set the -v option, it doesn't return a thing

@sullo
Owner

sullo commented Nov 1, 2024

Well that wasn't helpful. Can you try this one?
curl -v "http://localhost:9086/admin/cfg/configscreen.inc.php+"

@top-kat

top-kat commented Nov 1, 2024

curl -v "http://localhost:9086/admin/cfg/configscreen.inc.php+"
* Host localhost:9086 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:9086...
* Connected to localhost (::1) port 9086
> GET /admin/cfg/configscreen.inc.php+ HTTP/1.1
> Host: localhost:9086
> User-Agent: curl/8.7.1
> Accept: */*
> 
* Request completely sent off
< HTTP/1.1 404 Not Found
< Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
< Cross-Origin-Opener-Policy: same-origin
< Cross-Origin-Resource-Policy: same-origin
< Referrer-Policy: no-referrer
< Strict-Transport-Security: max-age=15552000; includeSubDomains
< X-Content-Type-Options: nosniff
< X-DNS-Prefetch-Control: off
< X-Download-Options: noopen
< X-Frame-Options: SAMEORIGIN
< X-Permitted-Cross-Domain-Policies: none
< X-XSS-Protection: 0
< Vary: Origin
< Access-Control-Allow-Credentials: true
< Date: Fri, 01 Nov 2024 13:59:27 GMT
< Connection: keep-alive
< Keep-Alive: timeout=5
< Content-Length: 0
< 
* Connection #0 to host localhost left intact

@sullo
Owner

sullo commented Nov 1, 2024

I can't offer a suggestion at this point. I don't see any obvious reason why it is giving a FP.

Nikto works by analyzing the HTTP response and looking for a certain code or response content matching. In the cases you pasted, it is responding with a 404 so Nikto should not be confused and report FP on some of them which are looking for a 200 response.

My best guess is the 404 detection has misidentified how the server works. I can't really troubleshoot that further since I don't have direct access to the server/configuration/app.

We might get a clue into the 404 detection if you run this and paste the output:
./nikto.pl -h http://localhost:9086/ -D D | grep php+

It should look something like this:

V:Fri Nov  1 10:08:49 2024 - Testing error for file: /5I2gyXy1.php=
V:Fri Nov  1 10:08:49 2024 - 302 for GET:	/5I2gyXy1.php=
V:Fri Nov  1 10:08:49 2024 - Testing error for file: /5I2gyXy1.php3
V:Fri Nov  1 10:08:49 2024 - 302 for GET:	/5I2gyXy1.php3
V:Fri Nov  1 10:08:49 2024 - Testing error for file: /5I2gyXy1.php3+
V:Fri Nov  1 10:08:49 2024 - 302 for GET:	/5I2gyXy1.php3+
V:Fri Nov  1 10:08:50 2024 - Testing error for file: /5I2gyXy1.php
V:Fri Nov  1 10:08:50 2024 - 302 for GET:	/5I2gyXy1.php
V:Fri Nov  1 10:08:50 2024 - Testing error for file: /5I2gyXy1.php+
V:Fri Nov  1 10:08:50 2024 - 302 for GET:	/5I2gyXy1.php+
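
The comment above describes the mechanism at the centre of this thread: Nikto first requests random filenames per extension ("Testing error for file: /5I2gyXy1.php+") to learn how the server answers for things that do not exist, then reports an item when the response code or content matches what the test expects. The following is an added Python model of that triage logic, written for this page and not Nikto's own code. It takes a `fetch` callable so it runs offline against two constructed servers: one that behaves like the reporter's (empty-bodied 404 for everything unknown, plus one rate-limited path like the 429 seen later in the thread) and one that serves a "soft 404" page with status 200 that echoes the requested path. The function and server names, and the server behaviours, are assumptions for illustration; the reported paths are taken from the scan output in this thread.

```python
# Added illustration (not Nikto's code): fingerprint a server's "not found"
# behaviour with random filenames, then compare each reported hit with it.
import random
import string
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Tuple


@dataclass(frozen=True)
class Response:
    code: int
    body: str


Fetch = Callable[[str], Response]  # hypothetical: any function that GETs a path


def extension_of(path: str) -> str:
    """Trailing extension of the last path segment, keeping odd suffixes
    such as the '+' in '/admin/modules/cache.php+' -> '.php+'."""
    last = path.rsplit("/", 1)[-1]
    dot = last.rfind(".")
    return last[dot:] if dot >= 0 else ""


def random_probe(ext: str, rng: random.Random) -> str:
    """A filename that cannot legitimately exist, e.g. '/XsvbtEWs.php+'."""
    name = "".join(rng.choice(string.ascii_letters + string.digits) for _ in range(8))
    return "/" + name + ext


def normalise(resp: Response, path: str) -> Tuple[int, str]:
    """Status plus a body with the requested path removed and whitespace folded,
    so a 'soft 404' page that echoes the URL still fingerprints consistently."""
    body = resp.body.replace(path, "")
    return resp.code, " ".join(body.split()).lower()


def not_found_baseline(fetch: Fetch, extensions: Iterable[str]) -> Dict[str, Tuple[int, str]]:
    """Per extension, learn how the server answers a request for a file that does not exist."""
    rng = random.Random(0)  # fixed seed keeps the illustration reproducible
    baseline = {}
    for ext in extensions:
        probe = random_probe(ext, rng)
        baseline[ext] = normalise(fetch(probe), probe)
    return baseline


def triage(fetch: Fetch, reported_paths: Iterable[str]) -> Dict[str, str]:
    """Re-request every reported path and compare it with the not-found fingerprint."""
    reported = list(reported_paths)
    baseline = not_found_baseline(fetch, sorted({extension_of(p) for p in reported}))
    verdicts = {}
    for path in reported:
        observed = normalise(fetch(path), path)
        if observed == baseline[extension_of(path)]:
            verdicts[path] = "false positive: identical to not-found baseline"
        elif observed[0] != 200:
            verdicts[path] = f"non-200 status {observed[0]}: not a content match"
        else:
            verdicts[path] = "needs manual review: 200 that differs from baseline"
    return verdicts


def hard_404_server(path: str) -> Response:
    """Constructed: empty-bodied 404 for anything unknown, plus one rate-limited path."""
    if path == "/index.html":
        return Response(200, "<html>home</html>")
    if path == "/admin/cfg/configtache.inc.php+":
        return Response(429, "")
    return Response(404, "")


def soft_404_server(path: str) -> Response:
    """Constructed: always 200, friendly error page that echoes the requested path."""
    if path == "/index.html":
        return Response(200, "<html>home</html>")
    return Response(200, f"<html><h1>Not found</h1>\n<p>{path} does not exist.</p></html>")


REPORTED = [  # paths taken from the scan output in this thread
    "/admin/cfg/configscreen.inc.php+",
    "/admin/cfg/configtache.inc.php+",
    "/modules/WebChat/in.php+",
    "/index.html.ru.iso-ru",
    "/pls/portal/PORTAL.wwv_ui_lovf.show",
    "/index.html",
]

if __name__ == "__main__":
    for name, server in (("hard 404", hard_404_server), ("soft 404", soft_404_server)):
        print(f"== {name} ==")
        for path, verdict in triage(server, REPORTED).items():
            print(f"{path:45} {verdict}")
```

To use this against a real host, replace `fetch` with a function that performs the HTTP GET and returns status and body. A reported item whose response is identical to the random-file baseline for its extension is exactly the class of false positive the thread is chasing; a 200 that differs from the baseline is the only case that needs a human to look.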

@top-kat

top-kat commented Nov 1, 2024

This doesn't exactly look like what you provided...it's an extremely long output, here is an extract:

Maybe it's worth mentioning I am on MacOS?


D:Fri Nov 1 15:11:38 2024 'Result Hash' = {
'access-control-allow-credentials' => 'true',
'connection' => 'keep-alive',
'content-length' => 0,
'content-security-policy' => 'default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests',
'cross-origin-opener-policy' => 'same-origin',
'cross-origin-resource-policy' => 'same-origin',
'date' => 'Fri, 01 Nov 2024 14:11:38 GMT',
'keep-alive' => 'timeout=5',
'referrer-policy' => 'no-referrer',
'strict-transport-security' => 'max-age=15552000; includeSubDomains',
'vary' => 'Origin',
'whisker' => {
'MAGIC' => 31340,
'code' => 404,
'data' => '',
'header_order' => [
'content-security-policy',
'cross-origin-opener-policy',
'cross-origin-resource-policy',
'referrer-policy',
'strict-transport-security',
'x-content-type-options',
'x-dns-prefetch-control',
'x-download-options',
'x-frame-options',
'x-permitted-cross-domain-policies',
'x-xss-protection',
'vary',
'access-control-allow-credentials',
'date',
'connection',
'keep-alive',
'content-length'
],
'http_data_sent' => 1,
'http_eol' => "\r\n",
'http_space1' => ' ',
'http_space2' => ' ',
'lowercase_incoming_headers' => 1,
'message' => 'Not Found',
'protocol' => 'HTTP',
'socket_state' => 1,
'stats_reqs' => 6717,
'stats_syns' => 13,
'uri' => '/data/owncloud.log',
'uri_requested' => '/data/owncloud.log',
'version' => '1.1'
},
'x-content-type-options' => 'nosniff',
'x-dns-prefetch-control' => 'off',
'x-download-options' => 'noopen',
'x-frame-options' => 'SAMEORIGIN',
'x-permitted-cross-domain-policies' => 'none',
'x-xss-protection' => 0
};
D:Fri Nov 1 15:11:38 2024 'Request Hash' = {
'Connection' => 'Keep-Alive',
'Host' => 'localhost',
'User-Agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36',
'whisker' => {
'MAGIC' => 31339,
'force_bodysnatch' => 0,
'force_close' => 0,
'force_open' => 0,
'host' => 'localhost',
'http_eol' => "\r\n",
'http_space1' => ' ',
'http_space2' => ' ',
'ignore_duplicate_headers' => 0,
'include_host_in_uri' => 0,
'invalid_protocol_return_value' => 1,
'keep-alive' => 1,
'lowercase_incoming_headers' => 1,
'max_size' => 750000,
'method' => 'GET',
'normalize_incoming_headers' => 1,
'port' => 9086,
'protocol' => 'HTTP',
'require_newline_after_headers' => 0,
'retry' => 0,
'ssl' => 0,
'ssl_certfile' => undef,
'ssl_rsacertfile' => undef,
'ssl_save_info' => 1,
'timeout' => 10,
'trailing_slurp' => 0,
'uri' => '/cloud/data/owncloud.log',
'uri_param_sep' => '?',
'uri_postfix' => '',
'uri_prefix' => '',
'version' => '1.1'
}
};
D:Fri Nov 1 15:11:38 2024 'Result Hash' = {
'access-control-allow-credentials' => 'true',
'connection' => 'keep-alive',
'content-length' => 0,
'content-security-policy' => 'default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests',
'cross-origin-opener-policy' => 'same-origin',
'cross-origin-resource-policy' => 'same-origin',
'date' => 'Fri, 01 Nov 2024 14:11:38 GMT',
'keep-alive' => 'timeout=5',
'referrer-policy' => 'no-referrer',
'strict-transport-security' => 'max-age=15552000; includeSubDomains',
'vary' => 'Origin',
'whisker' => {
'MAGIC' => 31340,
'code' => 404,
'data' => '',
'header_order' => [
'content-security-policy',
'cross-origin-opener-policy',
'cross-origin-resource-policy',
'referrer-policy',
'strict-transport-security',
'x-content-type-options',
'x-dns-prefetch-control',
'x-download-options',
'x-frame-options',
'x-permitted-cross-domain-policies',
'x-xss-protection',
'vary',
'access-control-allow-credentials',
'date',
'connection',
'keep-alive',
'content-length'
],
'http_data_sent' => 1,
'http_eol' => "\r\n",
'http_space1' => ' ',
'http_space2' => ' ',
'lowercase_incoming_headers' => 1,
'message' => 'Not Found',
'protocol' => 'HTTP',
'socket_state' => 1,
'stats_reqs' => 6718,
'stats_syns' => 13,
'uri' => '/cloud/data/owncloud.log',
'uri_requested' => '/cloud/data/owncloud.log',
'version' => '1.1'
},
'x-content-type-options' => 'nosniff',
'x-dns-prefetch-control' => 'off',
'x-download-options' => 'noopen',
'x-frame-options' => 'SAMEORIGIN',
'x-permitted-cross-domain-policies' => 'none',
'x-xss-protection' => 0
};
D:Fri Nov 1 15:11:38 2024 'Request Hash' = {
'Connection' => 'Keep-Alive',
'Host' => 'localhost',
'User-Agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36',
'whisker' => {
'MAGIC' => 31339,
'force_bodysnatch' => 0,
'force_close' => 0,
'force_open' => 0,
'host' => 'localhost',
'http_eol' => "\r\n",
'http_space1' => ' ',
'http_space2' => ' ',
'ignore_duplicate_headers' => 0,
'include_host_in_uri' => 0,
'invalid_protocol_return_value' => 1,
'keep-alive' => 1,
'lowercase_incoming_headers' => 1,
'max_size' => 750000,
'method' => 'GET',
'normalize_incoming_headers' => 1,
'port' => 9086,
'protocol' => 'HTTP',
'require_newline_after_headers' => 0,
'retry' => 0,
'ssl' => 0,
'ssl_certfile' => undef,
'ssl_rsacertfile' => undef,
'ssl_save_info' => 1,
'timeout' => 10,
'trailing_slurp' => 0,
'uri' => '/owncloud/data/owncloud.log',
'uri_param_sep' => '?',
'uri_postfix' => '',
'uri_prefix' => '',
'version' => '1.1'
}
};
D:Fri Nov 1 15:11:38 2024 'Result Hash' = {
'access-control-allow-credentials' => 'true',
'connection' => 'keep-alive',
'content-length' => 0,
'content-security-policy' => 'default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests',
'cross-origin-opener-policy' => 'same-origin',
'cross-origin-resource-policy' => 'same-origin',
'date' => 'Fri, 01 Nov 2024 14:11:38 GMT',
'keep-alive' => 'timeout=5',
'referrer-policy' => 'no-referrer',
'strict-transport-security' => 'max-age=15552000; includeSubDomains',
'vary' => 'Origin',
'whisker' => {
'MAGIC' => 31340,
'code' => 404,
'data' => '',
'header_order' => [
'content-security-policy',
'cross-origin-opener-policy',
'cross-origin-resource-policy',
'referrer-policy',
'strict-transport-security',
'x-content-type-options',
'x-dns-prefetch-control',
'x-download-options',
'x-frame-options',
'x-permitted-cross-domain-policies',
'x-xss-protection',
'vary',
'access-control-allow-credentials',
'date',
'connection',
'keep-alive',
'content-length'
],
'http_data_sent' => 1,
'http_eol' => "\r\n",
'http_space1' => ' ',
'http_space2' => ' ',
'lowercase_incoming_headers' => 1,
'message' => 'Not Found',
'protocol' => 'HTTP',
'socket_state' => 1,
'stats_reqs' => 6719,
'stats_syns' => 13,
'uri' => '/owncloud/data/owncloud.log',
'uri_requested' => '/owncloud/data/owncloud.log',
'version' => '1.1'
},
'x-content-type-options' => 'nosniff',
'x-dns-prefetch-control' => 'off',
'x-download-options' => 'noopen',
'x-frame-options' => 'SAMEORIGIN',
'x-permitted-cross-domain-policies' => 'none',
'x-xss-protection' => 0
};
D:Fri Nov 1 15:11:38 2024 'Request Hash' = {
'Connection' => 'Keep-Alive',
'Host' => 'localhost',
'User-Agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36',
'whisker' => {
'MAGIC' => 31339,
'force_bodysnatch' => 0,
'force_close' => 0,
'force_open' => 0,
'host' => 'localhost',
'http_eol' => "\r\n",
'http_space1' => ' ',
'http_space2' => ' ',
'ignore_duplicate_headers' => 0,
'include_host_in_uri' => 0,
'invalid_protocol_return_value' => 1,
'keep-alive' => 1,
'lowercase_incoming_headers' => 1,
'max_size' => 750000,
'method' => 'GET',
'normalize_incoming_headers' => 1,
'port' => 9086,
'protocol' => 'HTTP',
'require_newline_after_headers' => 0,
'retry' => 0,
'ssl' => 0,
'ssl_certfile' => undef,
'ssl_rsacertfile' => undef,
'ssl_save_info' => 1,
'timeout' => 10,
'trailing_slurp' => 0,
'uri' => '/ownCloud/data/owncloud.log',
'uri_param_sep' => '?',
'uri_postfix' => '',
'uri_prefix' => '',
'version' => '1.1'
}
};

@sullo
Owner

sullo commented Nov 1, 2024

Ahh crap, I mis-typed. Use -D v instead of -D D

@top-kat

top-kat commented Nov 1, 2024

Here it is!

./nikto.pl -h http://localhost:9086/ -D v | grep php+
+ ERROR: Unable to open database file db_headers_suggested: .
V:Fri Nov  1 15:35:36 2024 - Testing error for file: /XsvbtEWs.php+
V:Fri Nov  1 15:35:36 2024 - 404 for GET:	/XsvbtEWs.php+
V:Fri Nov  1 15:35:42 2024 - 404 for GET:	/admin/cfg/configscreen.inc.php+
V:Fri Nov  1 15:35:42 2024 - 404 for GET:	/admin/cfg/configsite.inc.php+
V:Fri Nov  1 15:35:42 2024 - 404 for GET:	/admin/cfg/configsql.inc.php+
V:Fri Nov  1 15:35:42 2024 - 429 for GET:	/admin/cfg/configtache.inc.php+
V:Fri Nov  1 15:35:42 2024 - 404 for GET:	/admin/modules/cache.php+
V:Fri Nov  1 15:35:42 2024 - 404 for GET:	/admin/settings.inc.php+
V:Fri Nov  1 15:35:42 2024 - 404 for GET:	/functions.inc.php+
V:Fri Nov  1 15:35:42 2024 - 404 for GET:	/modules/Downloads/voteinclude.php+
V:Fri Nov  1 15:35:42 2024 - 404 for GET:	/modules/WebChat/in.php+
V:Fri Nov  1 15:35:42 2024 - 404 for GET:	/modules/Your_Account/navbar.php+
V:Fri Nov  1 15:35:42 2024 - 404 for GET:	/options.inc.php+
V:Fri Nov  1 15:35:42 2024 - 404 for GET:	/shop/php_files/site.config.php+
V:Fri Nov  1 15:35:43 2024 - 404 for GET:	/uifc/MultFileUploadHandler.php+

@sullo
Owner

sullo commented Nov 1, 2024

There is absolutely no reason it should be giving a FP on /admin/cfg/configscreen.inc.php+ at least; that seems clear.

I think this is the end of my ability to troubleshoot w/o access to the server. Unfortunately it looks like a code bug and that would take time to track down and a complicated fix, which is fine but... I can't access the system.

@top-kat

top-kat commented Nov 1, 2024

Ok thx for that investigation by the way, I'll be there if you need further information :)

@digininja
Contributor

digininja commented Nov 1, 2024 via email

@sullo
Owner

sullo commented Nov 1, 2024

@digininja if you create it'll test it :)

@digininja
Contributor

Challenge finally accepted!

$ ~/tools/web/nikto/program/nikto.pl -host https://vuln-demo.com
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          5.196.105.14
+ Target Hostname:    vuln-demo.com
+ Target Port:        443
---------------------------------------------------------------------------
+ SSL Info:           Subject:  /CN=badclick.vuln-demo.com
                      Ciphers:  TLS_AES_256_GCM_SHA384
                      Issuer:   /C=US/O=Let's Encrypt/CN=E5
+ Start Time:         2024-11-08 11:11:24 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache
+ /: Retrieved access-control-allow-origin header: *.
+ /zXeTyxZ1.php#: Retrieved x-powered-by header: Rainbows and XSS<script>alert(1)</script>.
+ /zXeTyxZ1.php#: Uncommon header(s) 'do_not_hack_me' found, with contents: Please.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /: The Content-Encoding header is set to "deflate" which may mean that the server is vulnerable to the BREACH attack. See: http://breachattack.com/
+ /: Suggested security header missing: referrer-policy. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
+ /: Suggested security header missing: permissions-policy. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy
+ /: Suggested security header missing: content-security-policy. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+ Hostname 'vuln-demo.com' does not match certificate's names: badclick.vuln-demo.com. See: https://cwe.mitre.org/data/definitions/297.html
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /admin/cfg/configscreen.inc.php+:X-Frame-Options header is deprecated and was replaced with the Content-Security-Policy HTTP header with the frame-ancestors directive instead. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /admin/cfg/configscreen.inc.php+: This might be interesting: has been seen in web logs from an unknown scanner.

The false positive is on the last line.

@sullo
Owner

sullo commented Dec 26, 2024

< HTTP/1.1 404 Not Found

finally getting around to this on my vacation... @digininja your response is a 200 OK, which triggers it, but is not the same condition as the OP (which is a 404). Even forcing the response to 404 in the code doesn't give me the FP.

@Gitabhsuosowo are you still able to help debug? this will make it run faster and just the one test if you can.

grep configscreen.inc.php databases/db_tests > databases/udb_tests
./nikto.pl -h [TARGET] -S . -Cgidirs none -Userdbs tests -Plugins "@@NONE;tests;404;fileops"

when done, look in the created "savedir_*" folder and there should be one file. In it, we are looking for this on that configtest.php response:

Test ID:  	002272
References:
Message:  	/admin/cfg/configscreen.inc.php+: This might be interesting: has been seen in web logs from an unknown scanner.
Reason:   	Response Code Match

that Reason answer will help debug. thanks!

@digininja
Contributor

digininja commented Dec 26, 2024 via email

@sullo
Owner

sullo commented Dec 27, 2024

It is returning a 404 now in case it helps.

V:Thu Dec 26 21:51:11 2024 - 404 for GET:	/admin/cfg/configscreen.inc.php+
+ 9 requests: 0 error(s) and 0 item(s) reported on remote host

working fine now 💀

not sure what else to do at this point.
